Palestinan Khalil Shreateh sits in front of his his computer at his home in the West Bank town of Yatta, Monday, Aug. 19, 2013 (Photo: Nasser Shiyoukhi/AP)

This is a great story that has gotten a lot of attention in the tech community. A Palestinian hacker named Khalil Shreateh kept reporting a bug in the Facebook code to Facebook, but techs blew him off. Finally he hacked Mark Zuckerberg’s page to post the bug there, along with an apology. “Sorry for breaking your privacy. I has no other choice… as you can see iam not in your friend list and yet i can post to your timeline.”

All hell broke loose, and Facebook cut off Shreateh’s Facebook page and also refused to give him the reward Facebook advertises for techies who discover glitches. The hacker community stepped up and rallied to reward him via a fundraising campaign on GoFundMe that has already raised over $11,000.

And now the hacker– who has used the portraits of Edward Snowden and the lateAaron Swartz, above, in his profiles– has become a global folk hero, and Zuckerberghas egg on his Facebook.

The story has been propelled by Shreateh’s devilish chops, sense of humor, and English. “Hello guys, this will be English and Arabic,” the bilingual youth wrote, in a viral video on the “exploite” that he put together to prove that he’d discovered the glitch.

I can only imagine the political dimensions of this story. Shreateh lives in occupied Yatta, a city in the West Bank that is a core site for warehousing people who are being moved off their lands. And as Alex Kane noted to me, all Palestinian stories are political:

In the U.S., we’ve been trained to views Palestinians crudely; I imagine if you ask Americans what’s the first thing you think of when you think of Palestine, they would say Islamists, Hamas or war. But Shreateh is a reminder that this is a sophisticated society, one of the most highly educated in the world. Of course elements of Palestinian society are still tied to traditional ways of living–and there’s of course nothing wrong with that–but Palestinians are a part of our world, our hyperconnected Internet-infused world.

Right, that’s what’s thrilling about Shreateh. He destroys stereotype, and does it with brilliance, mischief, and some good oldfashioned resistance.

OK, some of the facts. From a tech site: “Snubbed by Facebook, Security researcher hacks Mark Zuckerberg’s Facebook page.”

Although Shreateh’s Facebook account was soon reactivated, he was told he wouldn’t qualify for Facebook’s bug-bounty program, which rewards researchers who find security flaws with payments ranging from $500 to $5,000.

“We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service” by making an unauthorized posting to a member’s page, the email message Shreateh received said. “We do hope, however, that you continue to work with us to find vulnerabilities in the site.”

To Shreateh, who says on his blog that he’s unemployed, this was unfair.

“I could sell” the exploit in underground malware bazaars, he told CNNin an interview. “I could make more money than Facebook could pay me.”

Days ago i discovered a serious facebook vulnerability that allows a facebook user to post to all facebook users timeline even they are not in his friend list .

His account of the “exploite” is charming. At one point he used a Zuckerberg friend’s facebook page to try and get his message across.

Sarah Goodin is the girl that was in the same college with Mark Zuckerberg .

Apparently, Palestinians don’t have Harvard worship.

Then here’s some of his traffic with facebook techs:

as usual they ignored my replay so i did report another , this email shows their replay to my second report including the report :

Hi Ḱhalil, I am sorry this is not a bug. Thanks, Emrakul Security Facebook

Well after a couple of these notes, Khalil proved his point by going to Zuckerberg’s page.

i know that you guys now know that it’s a bug for sure after facebook.com/ola deactivate my account which is& i want my account back soon as possible , as i report the bugs for you and i didnt use another fake accounts or test accounts to break privac

Facebook didn’t accept his story, and Shreateh called B.S. on it.

i replay back that facebook report page has a ” prove concept ” and i cant prove without sending pictures or video . that is bullshit

after my second report i record this video which shows the exploit , i was rush recording it cause they was able to close that exploit in any second :

Ḱhalil you should realize that making so many grammar and spelling mistakes causes you to be taken less seriously by the rest of the world.

Ondrej Zastera celebrated him:

Hi Ḱhalil,

you made a serious discover that could affect millions of people and you didn’t abuse it. You did the opposite thing – you reported it to the qualified persons.

The level of understanding is relative. If something is unclear, questions should be raised. You were obviously ready to co-operate.

No matter what, you deserve a certain kind of reward for sure. Facebook statement is just a shameful excuse for not giving it to you. You deserve a credit, not a disrespectful treatment we see here.

AP managed to get a photo of Shreateh (above) in Yatta and describes the job offers.

The stunt cost the 30-year-old Palestinian the bounty, but earned him praise — and numerous job offers — for being able to get to the boss of the world’s most ubiquitous social network.

Shreateh, who lives near the West Bank city of Hebron and has been unable to find a job since graduating two years ago with a degree in information technology, told Facebook that he found a way that allowed anyone to post on anyone else’s wall. “I told them that you have a vulnerability and you need to close it,” he told The Associated Press. “I wasn’t looking to be famous. I just wanted to make a point to Mark (Zuckerberg).”…

The bug — and Facebook’s response to it — has become a talking point in information security circles, with many speculating that the Palestinian could have helped himself to thousands of dollars had he chosen to sell the information on the black market.

Shreateh said he was initially disappointed by the Facebook response but that after being inundated by job offers from all over the world he is pleased with how things worked out.

“I am looking for a good job to start a normal life like everybody,” he said. “I am so proud to be the Palestinian who discovered that exploit in Facebook.”

YATTA, West Bank – “You’ve no idea what I’ve done,” Khalil Shreateh said, bursting into the kitchen of his family’s stone-and-concrete house in the South Hebron Hills. The stocky 30-year-old Palestinian ran a hand through his already haphazard hair. “I just posted on Mark Zuckerberg’s wall.”

“You’re kidding,” said his sister, 22-year-old Nibal. She’d just tried sending her brother a message over Facebook, and was surprised to find his account mysteriously deactivated. Now she could guess why. “Stay away from big people, brother!”

“I’m going to take a nap,” Shreateh shrugged. “Hopefully they’ll give me back my page when I wake up.”

Facebook CEO Mark Zuckerberg. Photo: Carlos Serrao

It was August 14, and Shreateh had just reached halfway around the world to pull off a prank that would make him the most famous hacker in the Israeli-occupied West Bank. He’ddiscovered a Facebook bug that would allow him to post to another user’s wall even if he wasn’t on the user’s friends list. Demonstrating the bug on Zuckerberg was a last resort: He first reported the vulnerability to Facebook’s bug bounty program, which usually pays $500 for discoveries like his. But Facebook dismissed his report out of hand, and to this day refuses to pay the bounty for the security hole, which it has now fixed.

Where Facebook failed, though, techies from across the world stepped in to fix, crowdfunding a $13,000 reward for Shreateh. Now that money, and Shreateh’s notoriety, is about to launch the former construction worker into a new life. He’s using the funds to buy a new laptop and launch a cybersecurity service where websites will be able to request “ethical hacking” to identify their vulnerabilities. And he’s started a six-month contract with a nearby university to find bugs as part of their information security unit. He hacks and reports flaws on other universities’ sites in his free time.

“If they offer money I do not reject them, but I did not ask for money,” Shreateh says. “I don’t seek much money, only a job and a good life.”

Shreateh’s life so far hasn’t been easy. Born in Jerusalem and raised here in Yatta, an agricultural town known for its grapes and olives, he has never stepped foot outside the West Bank. Shreateh’s mother died of a heart attack when he was 13. His father, who worked as a manual laborer for an Israeli agricultural company, died of a similar heart problem three years later, leaving Shreateh orphaned along with Nibal and two other siblings.

That was 1999, the same year computers came to the Hebron area. Shreateh was 16, and he began taking shared taxis to Hebron to visit the city’s only Internet café, paying 10 shekels for the round-trip and 3 shekels for an hour online. Then in 2002, Shreateh discovered the world of hacking. “I got hacked by a Kuwait kid because I was talking to his cousin. I think he was in love with her,” Shreateh says. “Then I found hack forums. I started learning how to hack PCs and personal accounts.”

Shreateh began a degree in information systems at Al-Quds Open University — eight 15-hour semesters at about $320 per semester, which took Shreateh 10 years to finish. He worked a construction job from 7 a.m. to 7 p.m., so he rarely attended class, instead studying and completing assignments at night. “At exam times I quit my work to study,” Shreateh says. “I had to delay some semesters because I didn’t always have money.”

In the meantime he learned programming online. “You can learn anything from the Internet,” Shreateh says. “It just takes time. Months, you know, maybe years. Even my English, I learned it from chatting.”

Shreateh eventually got his own computer (“It was Intel, I think, a big one”), and then Yatta’s local Internet café hired him as a troubleshooter. He was able to give up construction for a while, taking odd website design and e-commerce jobs with companies in Ramallah. But by 2011 he was unemployed again. Most Yatta residents work lower-level jobs in Israel. Finding a job with the big companies usually requires wasta, personal connections that Shreateh doesn’t have.

In August, with funds running low, Shreateh decided to go back into manual labor. “I was hopeless,” he says. He called a construction company, which said they would call him back in four days. “While I was waiting, I hacked Mark,” Shreateh says with a smile.

Shreateh discovered the bug during one of his favorite hobbies, checking potential vulnerabilities based on hacker gossip (his other favorite pastime is the game Counterstrike). He first emailed Facebook’s white hat team, expecting to qualify for the company’s two-year-old bug bounty program, which has paid $1 million to some 300 white-hat hackers in 51 countries. To demonstrate the bug, he posted an Enrique Iglesias video to the profile of Sarah Goodin, one of Zuckerberg’s college friends.

Goodin’s privacy settings prevented non-friends from seeing her Timeline, so Facebook’s security team couldn’t see Shreateh’s post. Shreateh exchanged three emails with them, explaining why their access was blocked and attaching screenshots of the exploit.

Facebook’s reply was terse: “I am sorry this is not a bug. Thanks.”

That’s when Shreateh went to Facebook’s founder himself. He posted the bug report on Mark Zuckerberg’s wall, accompanied by a message:

Dear Mark Zuckerberg,

First sorry for breaking your privacy and post to your wall , i has no other choice to make after all the reports I sent to Facebook team .

My name is KHALIL, from Palestine…

Minutes later, Shreateh’s account had been disabled. Facebook engineers contacted him for details. They fixed the bug and reactivated his account but refused to pay any bounty, saying that Shreateh had violated the conditions of its bug bounty program by testing the vulnerability on a real user’s account. Facebook’s Chief Security Officer Joe Sullivan later released a statement acknowledging they’d been “too hasty and dismissive in this case,” but also blaming an “absence of detail” in Shreateh’s report. Facebook still refused to pay the reward.

The story went viral. Outraged at Facebook’s snubbing of a fellow ethical hacker, California security expert Marc Maiffret launched an appeal to the tech community. A former teen hacker who made his name by finding security flaws in Microsoft products, Maiffret is now CTO of BeyondTrust. He contributed the first $3,000 to a GoFundMe campaign to crowdfund a bounty for Shreateh’s Facebook exploit.

Within a day, donors had given more than $10,000. The final amount raised was $13,125 from 303 people across the world, mostly donated in sums of $5 or $10, many with notes congratulating Shreateh and deriding Facebook.

The West Bank town of Yatta, where Khalil Shreateh hacked Facebook’s CEO. Photo: Alice Su

The West Bank is no easy place to be a hacker, or to do anything in the technology sphere. The occupied region depends on Israel for electricity, water and telecommunications, including the sluggish Internet that crawls into the South Hebron Hills. Shreateh has a well and three water tanks on his roof because Yatta only receives several days of running water every few months. Blackouts are common, and the town often goes without electricity for whole days in the winter.

Partly to blame is a complex system established by the Oslo accords that splits the West Bank into three zones under different combinations of Palestinian and Israeli control. “It’s like Swiss cheese,” says George Khadder, a tech entrepreneur who worked in Silicon Valley for 13 years. He sketches how Zones A, B and C weave in, out and around each other, with chunks of Israeli settlement territory in between. “The West Bank is like an archipelago, in terms of contiguity and services. This is absolutely a problem.”

This access gap is clear on the drive from Jerusalem to Yatta, which requires passing through a military checkpoint that bars Shreateh from entering Israel. The road to Yatta passes several Israeli settlements, sprawling over hilltops with their separate telecom systems, brightly lit streets and green, well-watered lawns. “The dogs in Israel drink more water than Palestinians,” the taxi driver laughs.

Shreateh now lives in Ramallah, where the situation is a little better. He comes home on weekends, as does Nibal, who is studying dentistry in Abu Dis. “He’s the only one who does this computer stuff,” she says. “Our family geek.”

Their nieces are rambunctious, dancing to an Arabic music channel blaring from the television and yelling about the Eid al-Adha crowds in Hebron. They parade around the kitchen table, showing off the new clothes they’ve just bought for the Muslim holiday – matching turtlenecks with faux fur vests – while Shreateh’s sisters laugh and croon that yes, the girls look very pretty.

Only Shreateh is oblivious to the family buzz. He sits at a small table next to the refrigerator, wholly engrossed in his laptop screen, flicking back and forth between Hacker News, exploit forums and his own security projects. He typically stays up until 2 a.m., clacking away on the keyboard as the rest of Yatta sleeps.

“He’s listening to Linkin Park,” Nibal says, adding that she finds it funny how “geeks everywhere like the same music.”

Shreateh has his own website and 44,156 followers on Facebook, many of whom spam him with questions about hacking into their boyfriends’ profiles or raising their exam grades online. Shreateh ignores them. “I am an ethical hacker,” he says. “I don’t damage or destroy.”

That makes him different from some other Palestinian hackers. The same month as Shreateh’s Facebook prank, hacktivists hijacked Google’s Palestine domain, redirecting it to a page with a Rihanna background song and written message: “uncle google we say hi from palestine to remember you that the country in google map not called israel. its called Palestine”

This month, another group called KDMS hacked the websites of security companies AVG and Avira, among other companies, redirecting to a site displaying the Palestinian flag, a graphic of Palestinian land loss, and a similar message: “we want to tell you that there is a land called Palestine on the earth,” it read in part. “this land has been stolen by Zionist.’

Shreateh dismisses these attacks as counterproductive. “They hacked to put a message about Palestine,” he says. “But some will say ‘Look, Palestinians are mindless. They hack everything, that’s bad.’ … Some people break the law to send a message, but I will send a message with my own name, not with a nickname. I can send a message without damaging a website.”

He shrugs off KDMS’s invective about good Palestinians versus bad Israelis, but bubbles over when the conversation turns to good hackers versus bad hackers. He’s a citizen of the Internet, disconnected from the Israeli-Palestinian situation, wrapped in the superhero role of upholding a hacker’s ethical code in a virtual, non-occupied world.

“There is no security today. No one is secure,” Shreateh says. That’s why people need ethical hackers to protect systems against the nonstop threat of security vulnerabilities and the black-hat hackers who exploit others for fame and money. There’s a moment of truth when you decide to take the white hat path, Shreateh says, a fork in the road when any hacker discovers a bug and decides to publicize it or get it closed instead of exploiting it for personal gain.

“I think, if someone hacks and takes my money, how do I feel?” Shreateh asks. “You treat people how you want them to treat you.”

As for Israeli hackers, he sees them as inferior, babied by the privilege of living without occupation. “Israeli hackers all come from university classes. They have companies and courses to teach them,” Shreateh scoffs. “Palestinian hackers come from Google search and YouTube videos. We all learned on our own.”

Shreateh smiles, kicks off his rubber slippers and opens his laptop to check his Facebook page, which has been receiving a steady flow of messages all afternoon. He scrolls through the flood of bug reports, Metasploit gossip, requests for hacking advice and fan mail in Arabic and broken English. He chuckles at some comments and Likes others, then opens khalil-shreateh.com, pausing on the still-incomplete website for a moment. “I am the only ethical hacker in Palestine,” Shreateh says, puffing out his chest. “But for sure, there will be more like me in the future.”